Linux 2.12 Open Source Gold Release

Added Ubuntu 20.04 and CentOS 8.2 support.
Added Intel(R) Provisioning Certification Service V3 API support for ECDSA attestation.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

Author: llly

Makefile

@@ -137,9 +137,13 @@ deb_libsgx_enclave_common: psw
 deb_libsgx_urts: psw
 	./linux/installer/deb/libsgx-urts/build.sh
 
+.PHONY: deb_libsgx_headers_pkg
+deb_libsgx_headers_pkg: 
+	./linux/installer/deb/libsgx-headers/build.sh
+
 ifeq ($(CC_BELOW_5_2), 1)
 .PHONY: deb_psw_pkg
-deb_psw_pkg: deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3
+deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3
 else
 .PHONY: deb_libsgx_dcap_default_qpl
 deb_libsgx_dcap_default_qpl:
@@ -183,7 +187,7 @@ deb_sgx_ra_service_pkg:
 
 
 .PHONY: deb_psw_pkg
-deb_psw_pkg: deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 deb_libsgx_dcap_default_qpl deb_libsgx_dcap_pccs deb_libsgx_dcap_ql deb_libsgx_ae_qve deb_sgx_dcap_quote_verify deb_sgx_pck_id_retrieval_tool_pkg deb_sgx_ra_service_pkg
+deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 deb_libsgx_dcap_default_qpl deb_libsgx_dcap_pccs deb_libsgx_dcap_ql deb_libsgx_ae_qve deb_sgx_dcap_quote_verify deb_sgx_pck_id_retrieval_tool_pkg deb_sgx_ra_service_pkg
 endif
 
 .PHONY: deb_local_repo
@@ -238,9 +242,13 @@ rpm_libsgx_urts: psw
 rpm_sdk_pkg: sdk
 	./linux/installer/rpm/sdk/build.sh
 
+.PHONY: rpm_libsgx_headers_pkg
+rpm_libsgx_headers_pkg: 
+	./linux/installer/rpm/libsgx-headers/build.sh
+
 ifeq ($(CC_BELOW_5_2), 1)
 .PHONY: rpm_psw_pkg
-rpm_psw_pkg: rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3
+rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3
 else
 .PHONY: rpm_libsgx_dcap_default_qpl
 rpm_libsgx_dcap_default_qpl:
@@ -282,7 +290,7 @@ rpm_sgx_ra_service_pkg:
 	$(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/libsgx-ra-*rpm ./linux/installer/rpm/sgx-aesm-service/
 
 .PHONY: rpm_psw_pkg
-rpm_psw_pkg: rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_pccs rpm_libsgx_dcap_ql rpm_libsgx_ae_qve rpm_sgx_dcap_quote_verify rpm_sgx_pck_id_retrieval_tool_pkg rpm_sgx_ra_service_pkg
+rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_pccs rpm_libsgx_dcap_ql rpm_libsgx_ae_qve rpm_sgx_dcap_quote_verify rpm_sgx_pck_id_retrieval_tool_pkg rpm_sgx_ra_service_pkg
 endif
 
 .PHONY: rpm_local_repo
@@ -304,6 +312,7 @@ clean:
 	./linux/installer/deb/libsgx-uae-service/clean.sh
 	./linux/installer/deb/libsgx-enclave-common/clean.sh
 	./linux/installer/deb/libsgx-urts/clean.sh
+	./linux/installer/deb/libsgx-headers/clean.sh
 	./linux/installer/common/local_repo_builder/local_repo_builder.sh debian clean
 	./linux/installer/rpm/sgx-aesm-service/clean.sh
 	./linux/installer/rpm/libsgx-epid/clean.sh
@@ -312,6 +321,7 @@ clean:
 	./linux/installer/rpm/libsgx-uae-service/clean.sh
 	./linux/installer/rpm/libsgx-enclave-common/clean.sh
 	./linux/installer/rpm/libsgx-urts/clean.sh
+	./linux/installer/rpm/libsgx-headers/clean.sh
 	./linux/installer/rpm/sdk/clean.sh
 	./linux/installer/common/local_repo_builder/local_repo_builder.sh rpm clean
 ifeq ("$(shell test -f external/dcap_source/QuoteVerification/dcap_tvl/Makefile && echo TVL Makefile exists)", "TVL Makefile exists")

README.md

@@ -55,11 +55,12 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   * Ubuntu\* 16.04 LTS Server 64bits
   * Ubuntu\* 18.04 LTS Desktop 64bits
   * Ubuntu\* 18.04 LTS Server 64bits
+  * Ubuntu\* 20.04 LTS Desktop 64bits
+  * Ubuntu\* 20.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
-  * CentOS 8.1 64bits
+  * CentOS 8.2 64bits
   * Fedora 31 Server 64bits
-  * SUSE Linux Enterprise Server 15 64bits
 
 - Use the following command(s) to install the required tools to build the Intel(R) SGX SDK:  
   * On Ubuntu 16.04:
@@ -70,13 +71,17 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   ```
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev git cmake perl
   ```
+  * On Ubuntu 20.04:
+  ```
+    $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
+  ```
   * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2:
   ```
     $ sudo yum groupinstall 'Development Tools'
     $ sudo yum install ocaml ocaml-ocamlbuild wget python2 openssl-devel git cmake perl
     $ sudo alternatives --set python /usr/bin/python2
   ```
-  * On CentOS 8.1:
+  * On CentOS 8.2:
   ```
     $ sudo dnf group install 'Development Tools'
     $ sudo dnf --enablerepo=PowerTools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2
@@ -86,37 +91,28 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   ```
     $ sudo yum groupinstall 'C Development Tools and Libraries'
     $ sudo yum install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget python rpm-build git cmake perl
-  ```
-  * On SUSE Linux Enterprise Server 15:
-  ```
-    $ sudo zypper install --type pattern devel_basis
-    $ sudo zypper install ocaml ocaml-ocamlbuild automake autoconf libtool wget python libopenssl-devel rpm-build git cmake perl
   ```
    **Note**:  To build Intel(R) SGX SDK, gcc version is required to be 7.3 or above and glibc version is required to be 2.27 or above. For Ubuntu 16.04, Red Hat Enterprise Linux 7.6, you may need to update gcc and glibc version manually.
 - Use the following command to install additional required tools and latest Intel(R) SGX SDK Installer to build the Intel(R) SGX PSW:  
   1)  To install the additional required tools:
-      * On Ubuntu 16.04 and Ubuntu 18.04:
+      * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
       ```
         $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip
       ```
       * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and Fedora 31:
       ```
         $ sudo yum install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils
       ```
-      * On CentOS 8.1:
+      * On CentOS 8.2:
       ```
         $ sudo dnf --enablerepo=PowerTools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils
       ```
-      * On SUSE Linux Enterprise Server 15:
-      ```
-        $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo
-      ```
   2) To install latest Intel(R) SGX SDK Installer
   Ensure that you have downloaded latest Intel(R) SGX SDK Installer from the [Intel(R) SGX SDK](https://software.intel.com/en-us/sgx-sdk/download) and followed the Installation Guide in the same page to install latest Intel(R) SGX SDK Installer.
 
 - Download the source code and prepare the submodules and prebuilt binaries:
 ```
-   $ git clone https://github.com/intel/linux-sgx.git 
+   $ git clone https://github.com/intel/linux-sgx.git
    $ cd linux-sgx && make preparation
 ```
   The above ``make preparation`` would trigger the script ``download_prebuilt.sh`` to download the prebuilt binaries. You may need to set an https proxy for the `wget` tool used by the script (such as ``export https_proxy=http://test-proxy:test-port``)  
@@ -188,13 +184,13 @@ You can find the tools and libraries generated in the `build/linux` directory.
   $ make
 ``` 
 - To build the Intel(R) SGX PSW installer, enter the following command:
-  * On Ubuntu 16.04 and Ubuntu 18.04:
+  * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
    ```
   $ make deb_psw_pkg
   ```
   You can find the generated Intel(R) SGX PSW installers located under `linux/installer/deb/libsgx-urts`, `linux/installer/deb/libsgx-enclave-common`, `linux/installer/deb/libsgx-uae-service`, `linux/installer/deb/libsgx-epid`, `linux/installer/deb/libsgx-launch`, `linux/installer/deb/libsgx-quote-ex` and `linux/installer/deb/sgx-aesm-service` respectively.
 
-  **Note**: On Ubuntu 18.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``package-name-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped:
+  **Note**: On Ubuntu 18.04 and Ubuntu 20.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``package-name-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped:
    ```
    $ export DEB_BUILD_OPTIONS="nostrip"
    ```
@@ -204,7 +200,7 @@ You can find the tools and libraries generated in the `build/linux` directory.
   ```
   $ make deb_psw_pkg DEBUG=1
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31 and SUSE Linux Enterprise Server 15:
+  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2 and Fedora 31:
   ```
   $ make rpm_psw_pkg
   ```
@@ -233,8 +229,12 @@ You can find the tools and libraries generated in the `build/linux` directory.
   ```
   deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO bionic main
   ```
+  * On Ubuntu 20.04:
+  ```
+  deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO focal main
+  ```
   After that, you need to update the apt:
-  * On Ubuntu 16.04 and Ubuntu 18.04:
+  * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
   ```
   $ sudo apt update
   ```
@@ -248,23 +248,15 @@ You can find the tools and libraries generated in the `build/linux` directory.
   **Note**: The above command builds the local package repository. If you want to use it, you need to add it to the system repository configuration. Since the local package repository is not signed with GPG, you should ignore the gpgcheck when installing the packages.
 
   - To add the local RPM package repository to the system repository configuration, you can use the following command. You need to replace PATH_TO_LOCAL_REPO with the proper path on your system:
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31:
+  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31:
   ```
   $ sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO
   ```
-  * On SUSE Linux Enterprise Server 15, you need to replace LOCAL_REPO_ALIAS with proper alias name for the local repo:
-  ```
-  $ sudo zypper addrepo PATH_TO_LOCAL_REPO LOCAL_REPO_ALIAS
-  ```
   - To ignore the gpgcheck when you install the package, enter the following command:
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31:
+  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31:
   ```
   $ sudo yum --nogpgcheck install <package>
   ```
-  * On SUSE Linux Enterprise Server 15:
-  ```
-  $ sudo zypper --no-gpg-checks install <package>
-  ```
 
 Install the Intel(R) SGX SDK
 ------------------------
@@ -274,17 +266,18 @@ Install the Intel(R) SGX SDK
   * Ubuntu\* 16.04 LTS Server 64bits
   * Ubuntu\* 18.04 LTS Desktop 64bits
   * Ubuntu\* 18.04 LTS Server 64bits
+  * Ubuntu\* 20.04 LTS Desktop 64bits
+  * Ubuntu\* 20.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
-  * CentOS 8.1 64bits
+  * CentOS 8.2 64bits
   * Fedora 31 Server 64bits
-  * SUSE Linux Enterprise Server 15 64bits
 - Use the following command to install the required tool to use Intel(R) SGX SDK:
-  * On Ubuntu 16.04 and Ubuntu 18.04:
+  * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
   ```  
     $ sudo apt-get install build-essential python
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and CentOS 8.1:
+  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and CentOS 8.2:
   ```
      $ sudo yum groupinstall 'Development Tools'
      $ sudo yum install python2
@@ -294,11 +287,6 @@ Install the Intel(R) SGX SDK
   ```
      $ sudo yum groupinstall 'C Development Tools and Libraries'
   ```
-  * On SUSE Linux Enterprise Server 15:
-  ```
-     $ sudo zypper install --type pattern devel_basis
-     $ sudo zypper install python 
-  ```
 
 ### Install the Intel(R) SGX SDK
 To install the Intel(R) SGX SDK, invoke the installer, as follows:
@@ -344,44 +332,41 @@ Install the Intel(R) SGX PSW
   * Ubuntu\* 16.04 LTS Server 64bits
   * Ubuntu\* 18.04 LTS Desktop 64bits
   * Ubuntu\* 18.04 LTS Server 64bits
+  * Ubuntu\* 20.04 LTS Desktop 64bits
+  * Ubuntu\* 20.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
-  * CentOS 8.1 64bits
+  * CentOS 8.2 64bits
   * Fedora 31 Server 64bits
-  * SUSE Linux Enterprise Server 15 64bits
 - Ensure that you have a system with the following required hardware:  
   * 6th Generation Intel(R) Core(TM) Processor or newer
 - Configure the system with the **Intel SGX hardware enabled** option and install Intel(R) SGX driver in advance.  
   See the earlier topic, *Build and Install the Intel(R) SGX Driver*, for information on how to install the Intel(R) SGX driver.
 - Install the library using the following command:  
-  * On Ubuntu 16.04 and Ubuntu 18.04:
+  * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
   ```
     $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
   ```
   * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and Fedora 31:  
   ```
     $ sudo yum install openssl-devel libcurl-devel protobuf-devel
   ```
-  * On CentOS 8.1:
+  * On CentOS 8.2:
   ```
     $ sudo dnf --enablerepo=PowerTools install libcurl-devel protobuf-devel
   ```
-  * On SUSE Linux Enterprise Server 15:  
-  ```
-    $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel
-  ```
 
 ### Install the Intel(R) SGX PSW
 - The SGX PSW provides 3 services: launch, EPID-based attestation, and algorithm agnostic attestation. Starting with the 2.8 release, the SGX PSW is split into smaller packages and the user can choose which features and services to install. There are 2 methods to install the required packages: Using individual packages or using the local repo generated by the build system. Using the local repo is recommended since the system will resolve the dependencies automatically. Currently, we support .deb and .rpm based repos. 
 
   #### Using the local repo(recommended)
 
-  |   |Ubuntu 16.04, Ubuntu 18.04|Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31|SUSE Linux Enterprise Server 15|
-  | ------------ | ------------ | ------------ | ------------ |
-  |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|zypper install libsgx-launch libsgx-urts|
-  |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|zypper install libsgx-epid libsgx-urts||
-  |algorithm agnostic attestation service|apt-get install libsgx-quote-ex libsgx-urts|yum install libsgx-quote-ex libsgx-urts|zypper install libsgx-quote-ex libsgx-urts|
-  |DCAP ECDSA-based service(Ubuntu16.04 not included)|apt-get install libsgx-dcap-ql|yum install libsgx-dcap-ql|zypper install libsgx-dcap-ql|
+  |   |Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04|Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31|
+  | ------------ | ------------ | ------------ |
+  |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|
+  |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|
+  |algorithm agnostic attestation service|apt-get install libsgx-quote-ex libsgx-urts|yum install libsgx-quote-ex libsgx-urts|
+  |DCAP ECDSA-based service(Ubuntu16.04 not included)|apt-get install libsgx-dcap-ql|yum install libsgx-dcap-ql|
 
   Optionally, you can install *-dbgsym or *-debuginfo packages to get the debug symbols, and install *-dev or *-devel packages to get the header files for development.
 
@@ -391,15 +376,15 @@ Install the Intel(R) SGX PSW
   Please refer [Intel_SGX_Installation_Guide_Linux](https://download.01.org/intel-sgx/latest/linux-latest/docs/) for detail.
 
   #### Upgrade from a legacy installation
-  Before release 2.8, SGX PSW is installed as a single package named as libsgx-enclave-common. Starting with the 2.8 release, SGX PSW is split into smaller packages. libsgx-enclave-common is one of them. As a result, a simple upgrade will end up with a subset of the SGX PSW being installed on the system. You need to install additional packages to enable the required feature. At the same time, you will encounter some error message when you try to upgrade to release 2.8 from an old installation. You can use 2 methods to address it.
+  Sometimes we will split old package into smaller ones or move file between different packages. In such cases, you will encounter error messages like: "dpkg: error processing archive ....(--unpack): trying to overwrite ...". You can use 2 methods to address it.
   * Uninstall the old installation first, then install new packages.
   * Add ``-o Dpkg::Options::="--force-overwrite"`` option to overwrite existing files and use “``dist-upgrade``” instead of "upgrade" to install new packages when upgrading. In short, you should use this command:
   ```
   apt-get dist-upgrade -o Dpkg::Options::="--force-overwrite"
   ```
   #### Configure the installation
   Some packages are configured with recommended dependency on other packages that are not required for certain usage. For instance, the background daemon is not required for container usage. It will be installed by default, but you can drop it by using the additional option during the installation.
-  * On Ubuntu 16.04, Ubuntu 18.04:
+  * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04:
   ```
     --no-install-recommends
   ```

buildenv.mk

@@ -273,7 +273,7 @@ LD_IPP          := -lippcp
 
 ######## SGX SDK Settings ########
 SGX_SDK ?= /opt/intel/sgxsdk
-SGX_HEADER_DIR := $(SGX_SDK)/include
+SGX_HEADER_DIR ?= $(SGX_SDK)/include
 
 ifeq ($(ARCH), x86)
 	SGX_COMMON_CFLAGS := -m32